Amy Muntz - 28/Jun/06 12:08 PM
Jim - please add changeset number of source.jsp checkin (from yesterday) and resolve to Mamye for verification. Thanks.
Please test against known exploits. Also please test to ensure that source viewing in the refguide and devguide still work.
The fix, as it is, is only partial and really quite a hack. I can envision plenty of cases where one might want to use .. in a path to source.jsp and other file opening code within openlaszlo.
Using the Java security manager is fraught with problems. After examining how to use it, I find that it is rather simplistic and limited - there appears to be no way to limit a sub-policy to an arbitrarily deployed (location) webapp - also there is no allow-everything-but facility. In our case there is no clear way to make it work. I think the correct thing would be to audit all the locations in our code where file reading with tainted file path (supplied by user) takes place and do something along the lines of:
1) get the "real path" (with all ..'s compressed out, etc.) for the file.
2) make sure that it is located within the webapp directory tree or return an error to that effect.
3) add the ability to define other directory roots that are permissible (could be done later on).
Mind you, this is all off the top of my head. I am sure there are other security implications in the code, in various places. We have done quite well so far in limiting them, but I don't believe we have ever done a dedicated security audit on our codebase.
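
The three-step check outlined in the comment above (canonicalize, confine to the webapp tree, allow additional roots), written out as an added example; it is not OpenLaszlo code, and the class name, method name and sample directory layout are constructed for illustration (requires Java 9+ for `List.of`).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Added example: resolve a user-supplied path and confine it to permitted roots. */
public class ConfinedPath {

    /**
     * Steps 1-3 of the comment: canonicalize the requested path, then require
     * the result to sit under a permitted root (webapp root plus any extras).
     */
    static File resolve(List<File> roots, String userPath) throws IOException {
        for (File root : roots) {
            // getCanonicalFile() collapses "." and ".." and resolves symlinks.
            Path base = root.getCanonicalFile().toPath();
            Path target = new File(root, userPath).getCanonicalFile().toPath();
            // Path.startsWith compares whole name elements, so a sibling such
            // as /webapp-old is not mistaken for something inside /webapp.
            if (target.startsWith(base)) {
                return target.toFile();
            }
        }
        throw new SecurityException("path is outside the permitted roots");
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/webapp/docs/a.lzx and <tmp>/secret.txt
        Path tmp = Files.createTempDirectory("confine");
        Path webapp = Files.createDirectories(tmp.resolve("webapp/docs")).getParent();
        Files.write(webapp.resolve("docs/a.lzx"), "<canvas/>".getBytes());
        Files.write(tmp.resolve("secret.txt"), "x".getBytes());
        List<File> roots = List.of(webapp.toFile());

        // The ".." inside the tree is accepted; the two escapes are rejected.
        String[] samples = { "docs/a.lzx", "docs/../docs/a.lzx",
                             "../secret.txt", "docs/../../secret.txt" };
        for (String s : samples) {
            try {
                System.out.println("allowed  " + s + " -> " + resolve(roots, s));
            } catch (SecurityException e) {
                System.out.println("rejected " + s);
            }
        }
    }
}
```

Callers should open the `File` that `resolve` returns rather than rebuilding the path from the original string, so the path that was checked is the path that is read.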